^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * GHASH: hash function for GCM (Galois/Counter Mode).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Copyright (c) 2009 Intel Corp.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Author: Huang Ying <ying.huang@intel.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * GHASH is a keyed hash function used in GCM authentication tag generation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * The original GCM paper [1] presents GHASH as a function GHASH(H, A, C) which
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * takes a 16-byte hash key H, additional authenticated data A, and a ciphertext
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * C. It formats A and C into a single byte string X, interprets X as a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * polynomial over GF(2^128), and evaluates this polynomial at the point H.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * However, the NIST standard for GCM [2] presents GHASH as GHASH(H, X) where X
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * is the already-formatted byte string containing both A and C.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * "ghash" in the Linux crypto API uses the 'X' (pre-formatted) convention,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * since the API supports only a single data stream per hash. Thus, the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * formatting of 'A' and 'C' is done in the "gcm" template, not in "ghash".
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * The reason "ghash" is separate from "gcm" is to allow "gcm" to use an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * accelerated "ghash" when a standalone accelerated "gcm(aes)" is unavailable.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * It is generally inappropriate to use "ghash" for other purposes, since it is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * an "ε-almost-XOR-universal hash function", not a cryptographic hash function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * It can only be used securely in crypto modes specially designed to use it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) * [1] The Galois/Counter Mode of Operation (GCM)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&rep=rep1&type=pdf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * [2] Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) * (https://csrc.nist.gov/publications/detail/sp/800-38d/final)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) #include <crypto/algapi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) #include <crypto/gf128mul.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) #include <crypto/ghash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) #include <crypto/internal/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) #include <linux/crypto.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
/*
 * ghash_init - start a new GHASH computation on @desc
 *
 * Zeroes the per-request state: the running value Y in dctx->buffer becomes
 * the all-zero block and dctx->bytes (bytes still needed to complete a
 * partial block) becomes 0.  The key table lives in the tfm context and is
 * untouched here.  Always returns 0.
 */
static int ghash_init(struct shash_desc *desc)
{
	/* Fresh state: Y = 0, no partial block pending. */
	memset(shash_desc_ctx(desc), 0, sizeof(struct ghash_desc_ctx));

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54)
/*
 * ghash_setkey - install the 16-byte hash key H into @tfm
 * @tfm: the transform whose context receives the key-derived table
 * @key: caller's key bytes (need not be aligned)
 * @keylen: must be exactly GHASH_BLOCK_SIZE
 *
 * Builds the 4k multiplication table for H via gf128mul_init_4k_lle() and
 * stores it in ctx->gf128, replacing any table from a previous key.
 *
 * Return: 0 on success, -EINVAL on a wrong key length, -ENOMEM if the table
 * could not be allocated.  On -ENOMEM the previous table has already been
 * released and ctx->gf128 is NULL, so the tfm holds no usable key until a
 * later setkey succeeds (the shash layer is expected to mark the tfm as
 * needing a key on error - confirm against the caller).
 */
static int ghash_setkey(struct crypto_shash *tfm,
			const u8 *key, unsigned int keylen)
{
	struct ghash_ctx *ctx = crypto_shash_ctx(tfm);
	be128 h;

	/* H is exactly one block; anything else is a caller error. */
	if (keylen != GHASH_BLOCK_SIZE)
		return -EINVAL;

	/* Drop the table derived from the previous key before building a new one. */
	if (ctx->gf128)
		gf128mul_free_4k(ctx->gf128);

	/*
	 * The caller's key buffer may not satisfy be128's alignment, so stage
	 * it through an aligned local.  The local is scrubbed afterwards with
	 * memzero_explicit() rather than memset() so the compiler cannot drop
	 * the clear as a dead store and leave key material on the stack.
	 */
	BUILD_BUG_ON(sizeof(h) != GHASH_BLOCK_SIZE);
	memcpy(&h, key, sizeof(h));
	ctx->gf128 = gf128mul_init_4k_lle(&h);
	memzero_explicit(&h, sizeof(h));

	return ctx->gf128 ? 0 : -ENOMEM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
/*
 * ghash_update - absorb @srclen bytes of @src into the GHASH state
 *
 * State layout (see ghash_init/ghash_flush): dctx->buffer holds the running
 * value Y with any not-yet-multiplied partial-block bytes already XORed into
 * it, and dctx->bytes is the number of bytes still needed to complete that
 * partial block (0 means no partial block is pending).  Each completed block
 * is folded in as Y = (Y ^ X_i) * H using the table from ghash_setkey().
 *
 * The (be128 *) casts assume the desc context is aligned well enough for
 * gf128mul_4k_lle() to access the buffer as a be128 - that is a property of
 * the shash desc allocation, not checked here.
 *
 * Always returns 0.
 */
static int ghash_update(struct shash_desc *desc,
			const u8 *src, unsigned int srclen)
{
	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
	struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
	u8 *state = dctx->buffer;

	/* First top up a pending partial block, multiplying once it is full. */
	if (dctx->bytes) {
		unsigned int take = min(srclen, dctx->bytes);
		u8 *fill = state + (GHASH_BLOCK_SIZE - dctx->bytes);
		unsigned int i;

		for (i = 0; i < take; i++)
			fill[i] ^= src[i];

		src += take;
		srclen -= take;
		dctx->bytes -= take;

		if (dctx->bytes == 0)
			gf128mul_4k_lle((be128 *)state, ctx->gf128);
	}

	/* Whole blocks go straight through XOR-then-multiply. */
	for (; srclen >= GHASH_BLOCK_SIZE;
	     src += GHASH_BLOCK_SIZE, srclen -= GHASH_BLOCK_SIZE) {
		crypto_xor(state, src, GHASH_BLOCK_SIZE);
		gf128mul_4k_lle((be128 *)state, ctx->gf128);
	}

	/*
	 * A trailing partial block is XORed into the front of the state now;
	 * the multiply happens when the block is completed or in ghash_flush().
	 */
	if (srclen) {
		unsigned int i;

		dctx->bytes = GHASH_BLOCK_SIZE - srclen;
		for (i = 0; i < srclen; i++)
			state[i] ^= src[i];
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114)
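/*
 * ghash_flush - fold a pending partial block into the state
 * @ctx: tfm context holding the key table
 * @dctx: per-request state
 *
 * GHASH zero-pads the final partial block.  ghash_update() has already XORed
 * the received bytes into dctx->buffer, and XORing zero padding into the
 * remaining positions changes nothing, so the block is already in its padded
 * form: only the multiply by H is left to do.  The byte loop that used to
 * sit here XORed each padding byte with 0 and was a pure no-op.
 *
 * Afterwards dctx->bytes is 0 so that a repeated flush is harmless.
 */
static void ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx)
{
	if (dctx->bytes)
		gf128mul_4k_lle((be128 *)dctx->buffer, ctx->gf128);

	dctx->bytes = 0;
}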
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130)
/*
 * ghash_final - finish the computation and write the 16-byte tag to @dst
 *
 * Flushes any pending partial block, after which dctx->buffer holds the
 * final Y, which is the GHASH output.  The state is copied out and left in
 * place; it is not cleared here, so a desc must go through ghash_init()
 * before being reused.  Always returns 0.
 */
static int ghash_final(struct shash_desc *desc, u8 *dst)
{
	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);

	/* Absorb the tail; the state then is the digest. */
	ghash_flush(crypto_shash_ctx(desc->tfm), dctx);
	memcpy(dst, dctx->buffer, GHASH_BLOCK_SIZE);

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142)
/*
 * ghash_exit_tfm - tfm teardown hook
 *
 * Releases the key-derived multiplication table if a key was ever set.
 * Whether gf128mul_free_4k() scrubs the table before freeing it is that
 * helper's responsibility, not decided here.
 */
static void ghash_exit_tfm(struct crypto_tfm *tfm)
{
	struct ghash_ctx *ctx = crypto_tfm_ctx(tfm);

	if (!ctx->gf128)
		return;

	gf128mul_free_4k(ctx->gf128);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149)
/*
 * The generic, table-driven "ghash" implementation.  cra_priority 100 leaves
 * room for hardware-accelerated drivers registered under the same cra_name
 * to take precedence.
 */
static struct shash_alg ghash_alg = {
	/* Per-request state size and output size. */
	.descsize	= sizeof(struct ghash_desc_ctx),
	.digestsize	= GHASH_DIGEST_SIZE,

	/* Keying and the init/update/final pipeline. */
	.setkey		= ghash_setkey,
	.init		= ghash_init,
	.update		= ghash_update,
	.final		= ghash_final,

	.base = {
		.cra_name		= "ghash",
		.cra_driver_name	= "ghash-generic",
		.cra_priority		= 100,
		.cra_blocksize		= GHASH_BLOCK_SIZE,
		/* Holds the key table pointer; released by cra_exit. */
		.cra_ctxsize		= sizeof(struct ghash_ctx),
		.cra_exit		= ghash_exit_tfm,
		.cra_module		= THIS_MODULE,
	},
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)
/*
 * ghash_mod_init - register the generic ghash algorithm
 *
 * Return: whatever crypto_register_shash() returns (0 on success).
 */
static int __init ghash_mod_init(void)
{
	int ret;

	ret = crypto_register_shash(&ghash_alg);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)
/*
 * ghash_mod_exit - unregister the generic ghash algorithm on module unload
 */
static void __exit ghash_mod_exit(void)
{
	crypto_unregister_shash(&ghash_alg);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177)
/*
 * Register at subsys initcall level rather than module_init level so the
 * algorithm is available early to code that instantiates "gcm" on top of it.
 */
subsys_initcall(ghash_mod_init);
module_exit(ghash_mod_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("GHASH hash function");
/* Allow autoloading by either the algorithm name or the driver name. */
MODULE_ALIAS_CRYPTO("ghash");
MODULE_ALIAS_CRYPTO("ghash-generic");